[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]

      DIGITAL ACTS OF WAR: EVOLVING THE CYBERSECURITY CONVERSATION

=======================================================================

                             JOINT HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                         INFORMATION TECHNOLOGY

                                AND THE

                   SUBCOMMITTEE ON NATIONAL SECURITY

                                 OF THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 13, 2016

                               __________

                           Serial No. 114-138

                               __________

Printed for the use of the Committee on Oversight and Government Reform

         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform
                                   ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

25-510 PDF                     WASHINGTON : 2017 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001
                                  
              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                     JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, 
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, Jr., Tennessee       CAROLYN B. MALONEY, New York
JIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of 
TIM WALBERG, Michigan                    Columbia
JUSTIN AMASH, Michigan               WM. LACY CLAY, Missouri
PAUL A. GOSAR, Arizona               STEPHEN F. LYNCH, Massachusetts
SCOTT DesJARLAIS, Tennessee          JIM COOPER, Tennessee
TREY GOWDY, South Carolina           GERALD E. CONNOLLY, Virginia
BLAKE FARENTHOLD, Texas              MATT CARTWRIGHT, Pennsylvania
CYNTHIA M. LUMMIS, Wyoming           TAMMY DUCKWORTH, Illinois
THOMAS MASSIE, Kentucky              ROBIN L. KELLY, Illinois
MARK MEADOWS, North Carolina         BRENDA L. LAWRENCE, Michigan
RON DeSANTIS, Florida                TED LIEU, California
MICK MULVANEY, South Carolina        BONNIE WATSON COLEMAN, New Jersey
KEN BUCK, Colorado                   STACEY E. PLASKETT, Virgin Islands
MARK WALKER, North Carolina          MARK DeSAULNIER, California
ROD BLUM, Iowa                       BRENDAN F. BOYLE, Pennsylvania
JODY B. HICE, Georgia                PETER WELCH, Vermont
STEVE RUSSELL, Oklahoma              MICHELLE LUJAN GRISHAM, New Mexico
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama

                   Jennifer Hemingway, Staff Director
                          Mike Flynn, Counsel
                      Cordell Hull, Senior Counsel
                    Sharon Casey, Deputy Chief Clerk
                 David Rapallo, Minority Staff Director

                 Subcommittee on Information Technology

                       WILL HURD, Texas, Chairman
BLAKE FARENTHOLD, Texas, Vice Chair  ROBIN L. KELLY, Illinois, Ranking 
MARK WALKER, North Carolina              Member
ROD BLUM, Iowa                       GERALD E. CONNOLLY, Virginia
PAUL A. GOSAR, Arizona               TAMMY DUCKWORTH, Illinois
                                     TED LIEU, California

                                 ------                                

                   Subcommittee on National Security

                    RON DeSANTIS, Florida, Chairman
JOHN L. MICA, Florida                STEPHEN F. LYNCH, Massachusetts, 
JOHN J. DUNCAN, JR., Tennessee           Ranking Member
JODY B. HICE, Georgia                ROBIN KELLY, Illinois
STEVE RUSSELL, Oklahoma, Vice Chair  BRENDA L. LAWRENCE, Michigan
WILL HURD, Texas                     TED LIEU, California

                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on July 13, 2016....................................     1

                               WITNESSES

General (Retired) Keith Alexander, CEO and President, Ironnet 
  Security
    Oral Statement...............................................     4
    Written Statement............................................     6
Mr. Aaron Hughes, Deputy Assistant Secretary for Cyber Policy, 
  U.S. Department of Defense
    Oral Statement...............................................    12
    Written Statement............................................    14
Mr. Chris Painter, Coordinator for Cyber Issues, U.S. Department 
  of State
    Oral Statement...............................................    18
    Written Statement............................................    20
Mr. Sean Kanuck, Counsel, Legal and Strategic Consulting Services 
  (Former National Intelligence Officer for Cyber)
    Oral Statement...............................................    25
    Written Statement............................................    27
Mr. Peter Warren Singer, Strategist and Senior Fellow, New 
  America
    Oral Statement...............................................    34
    Written Statement............................................    37

 
      DIGITAL ACTS OF WAR: EVOLVING THE CYBERSECURITY CONVERSATION

                              ----------                              


                        Wednesday, July 13, 2016

                  House of Representatives,
Subcommittee on Information Technology, joint with 
             the Subcommittee on National Security,
              Committee on Oversight and Government Reform,
                                                   Washington, D.C.
    The subcommittees met, pursuant to call, at 1:06 p.m., in 
Room 2154, Rayburn House Office Building, Hon. Will Hurd 
[chairman of the Subcommittee on Information Technology] 
presiding.
    Present from Subcommittee on Information Technology: 
Representatives Hurd, Blum, and Kelly.
    Present from Subcommittee on National Security: 
Representatives DeSantis, Russell, Hice, Lynch, and Lieu.
    Mr. Hurd. The Subcommittee on Information Technology and 
the Subcommittee on National Security will come to order. 
Without objection, the chair is authorized to declare a recess 
at any time. We expect to be interrupted by a vote series later 
this afternoon, and because of that, we're going to be 
abbreviated in some of our opening statements.
    I appreciate you all being here today. Cybersecurity isn't 
a buzzword anymore. It's real. And you all's written statements 
were helpful in helping me better understand this issue, and if 
we're able to get a whole-of-government talking about this and 
making sure that we're all singing off the same page, I think 
we're going to be safer as a Nation. And I appreciate such a 
distinguished group of folks joining us here today.
    And with that, I'm going to yield to Mr. Lynch for his 
opening remarks.
    Mr. Lynch. Thank you, Mr. Chairman. I would like to thank 
Chairman DeSantis, as well, and all the members of the 
subcommittee on both sides of the aisle. This is an incredibly 
important topic, and I appreciate the all-star panel that we 
have here today to help us with our work.
    I understand that certain questions that might be raised 
today in this forum are best left for a more secure setting if 
we're going to get into any detail, and so we know that at the 
outset. To this end, I appreciate the willingness of our 
administration witnesses to conduct a classified briefing for 
committee members at a date to be yet determined. So thank you.
    As underscored by National Intelligence Director James 
Clapper in his most recent Worldwide Threat Assessment of the 
U.S. Intelligence Community, continuous innovation in cyber 
information technology has been accompanied by the emergence of 
new and complex national security threats. According to 
Director Clapper, and this is a quote, ``Devices, designed and 
fielded with minimal security requirements and testing, and an 
ever-increasing complexity of networks, could lead to 
widespread vulnerabilities in civilian infrastructures and U.S. 
Government systems.''
    These lapses in cybersecurity are highly susceptible to 
exploitation by a range of threat sources, including foreign 
governments, such as Russia, China, North Korea, and Iran, who 
are motivated by cyber espionage. There is also the threat of 
cyberterrorism perpetrated by terrorist groups designed to 
promote online recruitment, propaganda, and financing activity, 
and incite lone wolf attacks.
    The SITE Intelligence Group reports that the Islamic State 
actually maintains its own so-called Hacking Division, or 
United Cyber Caliphate, a group of prominent hackers that has 
already published several kill lists of U.S. military personnel 
online. Moreover, hackers have repeatedly targeted the U.S. 
commercial sector for illegal monetary gain and money 
laundering.
    The continuous onslaught of massive data breaches in the 
public and private sectors here in the United States and 
worldwide evidences the complexity, diversity, and far-reaching 
implications of these cyber attacks. Our national security and 
cybersecurity framework must be equipped to prevent and 
mitigate against public sector attacks, such as the critical 
breaches of information technology systems at the Office of 
Personnel Management back in 2015. These cyber attacks not only 
compromised the personal identifiable information of over 22 
million individuals, including their Social Security numbers; 
rather, as noted by FBI Director James Comey, ``They also 
yielded a treasure trove of information about everybody who has 
worked for, tried to work for, or works for the United States 
Government.''
    The past few years have also witnessed breaches of computer 
systems at the State Department, the White House, the Internal 
Revenue Service, and the United States Postal Service, as well 
as reported leaking of sensitive information pertaining to 
employees at the Department of Homeland Security and the FBI.
    At the same time, our cybersecurity defenses must be able 
to deter and respond to threats targeting private sector 
companies motivated by illicit financial gain. It's my 
understanding that the Federal Reserve is currently leading 
other U.S. regulators in developing baseline security 
safeguards for U.S. banks in the wake of a February 2016 attack 
in which cyber criminals successfully transferred $81 million 
out of the Bangladesh central bank to a casino in the 
Philippines.
    We've also witnessed the infiltration of computer networks 
at JPMorgan Chase that compromised the account information of 
83 million households and businesses; a $62 million breach at 
Home Depot that compromised an estimated 56 million payment 
cards; and multiple cyber attacks against the Target retail 
chain that resulted in the theft of approximately 40 million 
credit and debit card numbers and the personal information of 
up to 70 million customers.
    Clearly, the national security threat posed by cyber 
attacks is multifaceted and demands the continual development 
of cybersecurity policies and countermeasures that are 
adaptable, modernized, and comprehensive. I look forward to 
discussing with our witnesses at today's hearing what steps we 
are taking in this regard.
    Thank you, Mr. Chairman, and I yield back.
    Mr. Hurd. I'd like to thank the ranking member of the 
Subcommittee on National Security for his opening statement. 
And now I'd like to recognize my friend from the State of 
Florida, the chairman of the Subcommittee on National Security, 
Mr. DeSantis, for his opening remarks.
    Mr. DeSantis. Thank you, Mr. Chairman. I thank the 
witnesses. I'm not going to give a full statement in the 
interest of time. I'd like to hear from the witnesses and get 
as much done until we have votes. But I will say that this is a 
very, very important part of our national security challenges 
and strategy, and it's only going to continue to be something 
that's more prevalent.
    So I appreciate the chairman calling the hearing, and I 
look forward to hearing from the witnesses. And I yield back.
    Mr. Hurd. One of the areas we all talk about when it comes 
to national security strategy is the four levers of national 
security: diplomatic, intelligence, military, and economic. And 
one of the reasons we composed this panel this way is because 
of that. And we have DOD here, State Department.
    Thank you, Mr. Kanuck and General Alexander, for your 
previous time in the intelligence community and now also 
representing the commercial sector as well, and, Mr. Singer, 
your work in this effort. So I think it's going to be a great 
conversation, and it is something important that we need to do.
    And we recognize that the intent is to not get into 
classified information here, but I think General Alexander said 
it best in his written statement, that, ``Without much public 
discussion,'' I'm reading from his words, ``of our basic cyber 
capabilities, particularly on offense, we face two major 
challenges: It is difficult to have a reasoned discussion of 
how we might respond--at least in the cyber domain--and it is 
that much harder to deter offensive actions by others.'' So I 
think having a public discourse is important in the larger 
strategy.
    And what we will do is, we're going to recognize General 
Alexander for your opening remarks, and then we'll have Ranking 
Member Kelly deliver hers.
    Actually, before we begin, we want to hold the record open 
for 5 days for members who would like to submit a written 
statement.
    And now I would like to recognize our witnesses. I'm 
pleased to welcome Mr. Aaron Hughes, deputy assistant secretary 
for cyber policy at the U.S. Department of Defense. Mr. Chris 
Painter, coordinator for cyber issues at the U.S. Department of 
State. Had a long, illustrious career at the Department of 
Justice as well, and White House, NSC, you name it.
    Mr. Painter. Thank you, Mr. Chairman.
    Mr. Hurd. General Keith Alexander, retired, CEO and 
president--he's a retired general, but now CEO and president of 
IronNet Cybersecurity, former head of the NSA, ran CYBERCOM as 
well. Mr. Sean Kanuck, counsel at Legal and Strategic 
Consulting Services and former national intelligence officer 
for cyber. And Mr. Peter Warren Singer, strategist and senior 
fellow at New America.
    Welcome to you all. And pursuant to committee rules, all 
witnesses will be sworn in before they testify. So please rise 
and raise your right hand.
    Do you solemnly swear or affirm the testimony you're about 
to give will be the truth, the whole truth, and nothing but the 
truth?
    Thank you. Please be seated.
    And let the record reflect that all witnesses answered in 
the affirmative.
    In order to allow time for discussion, please limit your 
testimony to 5 minutes, and your entire written statement will 
be made as part of the record.
    General Alexander, you're up first. You're now recognized 
for 5 minutes.

                       WITNESS STATEMENTS

                  STATEMENT OF KEITH ALEXANDER

    Mr. Alexander. Mr. Chairman, distinguished members of the 
committee, Mr. Chairman, Mr. Vice Chairman, Mr. Vice Chair, 
it's an honor and privilege to be here before this committee. I 
think what you're taking on is vital for our country. And it's 
also an honor and privilege to be here with my esteemed 
colleagues from the past. Aaron, I think we've all been 
together, and Peter and I were on a committee just a few months 
back. So it's an honor to be here.
    I'm going to hit mine rather quick. I recognize the 
classification issues that you raised, Congressman. I know that 
it's important that we don't raise those in public. But I do 
think we have to have a debate. I'm not proposing any red lines 
anywhere. I'm proposing that we start the debate in an informed 
way, where you, Congress, the administration, and the American 
people can engage in how we're going to work in cybersecurity.
    There has been a lot of effort in that area with what my 
colleagues, Chris and others have done, but I think we have to 
go further. I'm going to briefly hit the top issues that I see 
that our government and our country need to take on, especially 
when you look at what NATO is doing, now recognizing cyber as a 
domain of warfare. We need to be out in front.
    And it reminds me, when Chris was in the Department of 
Justice back in the 1960s, he worked with McNamara, and if you 
think about McNamara's approach on the nuclear deterrence, can 
we come up with a strategy for cyber that's equal to that?
    Congressman Lynch pointed out some great issues that we see 
every day in cyber, from Home Depot to Target to everything 
that's going on. Companies are being hammered. We passed 
legislation recently that helps the companies, commerce, and 
government work together. It's a step in the right direction. 
But much more needs to be done.
    Look at the change in technology, what's going on today, 
how rapidly this is changing. And if you look at the 
projections for the Internet of Things by 2020, there'll be 4 
to 10 times as many devices on the Internet as there are people 
on the planet. This is a huge capability and a huge problem.
    Now, when we look at, ``So what are we going to do about 
it?'' think about the threats that Mr. Lynch pointed out. 
Criminal activities in cyberspace are growing and continue to 
grow. This year the biggest growth will be in ransomware. I 
think we're going to see that come out, and this is going to be 
huge for our companies out there, especially the small and 
midsize who can't afford world class capabilities.
    And so it really gets us to a point where we've had in 
other committee hearings, so what do we do, how do government 
and industry work together? What's the role of government, 
what's the role of industry, and how do we share?
    I'm not going to give you my ``you have to do it this way 
or this way,'' but I do think from where you sit in this 
institution, to help start that discussion and create what you 
think from congressional oversight you believe needs to be 
done. Some thoughts on that as we move forward.
    Who's responsible for defending the Nation when we come 
under attack? If you think about Sony being attacked, Sony has 
no capability to fire back. In fact, if we think about Sony 
firing back, we quickly get to the realization that if Sony 
fires back, that could get us into a war on the Korean 
Peninsula. We don't want that to happen. That's an inherently 
government responsibility.
    If it's a government responsibility, that means government 
needs to be able to fire back when appropriate, when the 
administration, the President and the Secretary, determine. We 
can't see what's happening. The government can't see what's 
happening to Sony in time to do that.
    So the first thing is bridging that gap of sharing 
information between government and industry so that government 
can do its first job in defending our country. We've got to 
start that debate. It's been hampered by Snowden and others, 
but it's something that I think it's important for you and the 
rest of the administration to take on with our country and with 
our allies.
    Second, if we get to a point where our country comes up 
with the right framework, what would we want to push NATO to 
set as theirs? And we, our country, developed the Internet. 
We're the ones who started this. We ought to lead in securing 
it and coming up with the McNamara approach for how we're going 
to defend and deter in the same space.
    And so what I really think we need to do is start that 
discussion without any preconceived notions about where it will 
take us, but put the best minds in there and say: Here's what 
we want to do. We want to stop these types of attacks on our 
industry. We want to ensure that our allies have the same sense 
and purpose, especially where we have alliances, and that we're 
all in agreement.
    And so from my perspective, Mr. Chairman, I'm glad that 
you've taken this on. I see I'm out of time, so I'll cease work 
there, and thank you very much.
    [Prepared statement of Mr. Alexander follows:]
    
 [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
   
    
    Mr. Hurd. Thank you, General Alexander.
    Now it's always a pleasure to introduce my friend and 
colleague from the great State of Illinois, Ms. Robin Kelly, 
the ranking member of the Subcommittee on IT.
    Ms. Kelly. Thank you, my friend.
    I'd like to thank Chairman Hurd and Chairman DeSantis for 
calling this hearing so that the committee and the American 
people can get a better understanding of when a cyber attack 
should be considered an act of war and how the United States 
might respond when that happens.
    The cyber threats facing the United States are increasing 
in severity, opening the Nation to the possibility of extremely 
damaging cyber strikes that could potentially threaten the U.S. 
economy and endanger American lives.
    General Alexander, in your 2014 testimony before the Senate 
Committee on Armed Services you warned, and I quote, ``Those 
attacks are coming, and I think those are near term, and we're 
not ready for them.''
    In fact, we are already seeing the first salvos of digital 
attack reaching beyond the cyber realm. In March of this year, 
seven members of Iran's Revolutionary Guard Corps hacked into 
the control system of the Bowman Avenue Dam in Rye Brook, New 
York. In response to the compromise of the dam's cyber network, 
Paul Rosenberg, the mayor said, and I quote, ``It's ridiculous 
how little that dam is, how insignificant in the grand scheme 
of things. We're not talking about something vital to the 
infrastructure of the country.''
    While May's attack may not have targeted the Nation's vital 
critical infrastructure, it's almost certain that future 
attacks will, and when that does happen, how do we react? Do we 
hack the hackers, or do we respond with physical force? This 
isn't the first time Congress and the intelligence community 
have tried to answer that question.
    It is important that we recognize that the global nature of 
the Internet requires the U.S. to establish solid partnerships 
throughout the international community so that every nation 
understands that there are consequences for unacceptable cyber 
behavior. The problem is that by laying out in a public forum 
what constitutes unacceptable, we open the possibility that our 
adversaries know where the tripwires lie across which they 
can't step.
    That's why I'm pleased the chairman has arranged for 
committee members to receive a classified briefing to better 
understand where that line is and how we respond when our 
enemies cross that line.
    And again, I'd like to thank the chairman for calling this 
hearing and our witnesses for being here today.
    Mr. Hurd. Thank you, Ms. Kelly.
    Now we'll go to Mr. Hughes for your 5 minutes of opening 
statements.

                   STATEMENT OF AARON HUGHES

    Mr. Hughes. Thank you, Chairmen Hurd and DeSantis, Ranking 
Members Kelly and Lynch, and members of the subcommittees. I'm 
pleased to testify today on the Department of Defense's 
strategy as it relates to cyberspace and how the Department 
approaches cyber incidents. It is an honor to be here, and I'm 
proud of the progress we have made in this challenging domain.
    Since DOD's Cyber Strategy was signed in April of 2015, the 
Department has devoted considerable resources to implementing 
the goals and objectives outlined within the document. When 
Secretary Carter signed the Strategy, he directed the 
Department to focus its efforts on three primary missions in 
cyberspace. First, to defend DOD networks, systems, and 
information to assure DOD missions. Second, to defend the 
United States against cyber attacks of significant consequence. 
And to provide integrated cyber capabilities in support of 
military operations and contingency plans.
    Another key aspect of our strategy is deterrence. DOD is 
supporting a comprehensive whole-of-government cyber deterrence 
strategy to deter attacks on U.S. interests. This strategy 
depends on the totality of U.S. actions, to include declaratory 
policy, overall defensive posture, effective response options, 
indications and warning capabilities, and the resilience of 
U.S. networks and systems.
    That said, incidents described as cyber attacks or computer 
network attacks are not necessarily armed attacks for the 
purposes of triggering a nation-state's inherent right of self-
defense. When determining whether a cyber incident constitutes 
an armed attack, the U.S. Government considers a broad range of 
factors, including the nature and extent of injury or death to 
persons and the destruction of or damage to property. As such, 
cyber incidents are assessed on a case-by-case basis, and we 
would use a whole-of-government approach in responding to and 
deterring future malicious activities in cyberspace.
    The fact of the matter is that we face diverse and 
persistent threats in cyberspace from state and nonstate actors 
that cannot be defeated through the efforts of any single 
organization. Our increasingly wired and interconnected world 
has brought prosperity and economic gain to the United States, 
while our dependence on these systems has left us vulnerable to 
the evolving threats posed by malicious cyber activity.
    While DOD maintains and uses robust and unique cyber 
capabilities to defend our networks and the Nation, that alone 
is not sufficient. Securing our systems and networks is 
everyone's responsibility and requires close collaboration with 
other Federal departments, our allies and partners 
internationally, and the private sector to improve our Nation's 
cybersecurity posture and to ensure that DOD has the ability to 
operate in any environment at any time.
    The Department is committed to enhancing the resilience of 
our networks and systems and defending the U.S. homeland and 
U.S. interests from attacks of significant consequence that may 
occur in cyberspace. I look forward to working with these 
committees and the Congress to ensure that DOD has the 
necessary capabilities to carry out our roles and missions in 
cyberspace and to keep our country safe. I thank you for the 
support in these efforts, and I look forward to your questions 
this afternoon.
    Thank you.
    [Prepared statement of Mr. Hughes follows:]
    
   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
 
    
    
    Mr. Hurd. Thank you, Mr. Hughes.
    Mr. Painter, you're now recognized for 5 minutes.

                   STATEMENT OF CHRIS PAINTER

    Mr. Painter. Chairmen Hurd and DeSantis, Ranking Members 
Kelly and Lynch, members of the Subcommittees for Information 
Technology and National Security, thank you for the opportunity 
to speak to you today. I will discuss the framework for 
stability in cyberspace at the State Department, in particular 
it's working to promote internationally, but with our partners. 
I will also cover some of the other topics that were raised in 
your invitation.
    The Department of State, working with our interagency 
partners, is guided by the President's 2011 International 
Strategy for Cyberspace, which sets out a strategic framework 
of international cyber stability designed to achieve and 
maintain a peaceful cyberspace environment where all states are 
able to fully realize its benefits, where there are advantages 
to cooperating against common threats and avoiding conflict, 
and where there is little incentive for states to engage in 
disruptive behavior or to attack one another.
    This framework has three key elements. First, the 
affirmation that existing international law applies to state 
behavior in cyberspace. Second, the development of an 
international consensus on and promotion of additional 
voluntary norms of responsible state behavior in cyberspace 
that apply during peacetime. And third, the development and 
implementation of practical confidence-building measures, or 
CBMs, among states.
    Although many of the elements of this framework may seem 
self-evident to a U.S. audience, especially a sophisticated 
one, cyber issues are still new to many states, and there are 
also states that hold alternative views of how to promote cyber 
stability. Notwithstanding these headwinds, as well as the fact 
that diplomatic negotiations on other issues can take many 
years, if not decades, the United States and its partners have 
made substantial and really big progress in recent years toward 
advancing our strategic framework for international cyber 
stability.
    Since 2009, the United Nations Group of Governmental 
Experts on International Security Issues in Cyberspace, or the 
UN GGE, has served as a productive and groundbreaking expert-
level venue for the United States to build support for this 
framework through three consensus reports in 2010, 2013, and 
2015. I should emphasize the U.S. has been the leader here. The 
conclusions captured in those reports have in turn been 
endorsed by political leaders in a range of settings, including 
most recently at the G-20 leaders summit in Turkey.
    Given the title of this hearing, ``Digital Acts of War,'' I 
would like to discuss how the U.S. Government thinks about 
these issues, which is consistent with its broader approach to 
promoting stability in cyberspace through the prism of existing 
international law.
    As an initial matter, the United States has been clear that 
it believes that cyber activities may, in certain 
circumstances, constitute an armed attack that triggers our 
inherent right to self-defense as recognized by Article 51 of 
the U.N. Charter. The United States has described publicly how 
it will evaluate whether a cyber activity constitutes an armed 
attack under international law. Of primary importance to such a 
determination are the actual or anticipated effects of a 
particular incident.
    When determining whether a cyber activity constitutes an 
armed attack sufficient to trigger a state's inherent right to 
self-defense, the U.S. Government believes a state should 
consider the nature and extent of the injury or death to 
persons and the destruction of or damage to property, an 
effects-based test.
    It is worth emphasizing that this is a case-by-case, fact-
specific inquiry, whether the events in question occur in 
cyberspace or elsewhere. As a general matter, states have not 
sought to define precisely or state conclusively what 
situations would constitute armed attacks in other domains, and 
there is no reason cyberspace should be different. In fact, 
strategic ambiguity could very well deter most states from 
getting close to the threshold of an armed attack.
    Finally, I would hasten to note that regardless of whether 
a particular incident rises to the level of an armed attack, we 
have a range of options for responding. The U.S. Government 
uses a whole-of-government approach to responding to and 
deterring malicious activities in cyberspace that brings to 
bear its full range of instruments of national power and 
corresponding policy tools--diplomatic, law enforcement, 
economic, military, and intelligence--as appropriate and 
consistent with applicable law in particular cases.
    As suggested in the invitation for this hearing, public 
attribution is one such option. In cases where actors 
responsible for a particular incident have been determined, the 
U.S. Government will consider whether to identify those actors 
publicly when we believe it will further our national interest, 
including our ability to hold those actors accountable. 
However, the U.S. Government will also maintain flexibility to 
avail itself of the full suite of options that we have.
    In closing, I would like to thank the two subcommittees for 
giving me an opportunity to speak on such a relevant and timely 
set of issues. Despite the threats we face in cyberspace, I 
know that we are all committed to maintaining and promoting an 
open, interoperable, secure, and reliable Internet in the face 
of these threats that we can all continue to benefit from.
    On a personal note, I've been involved in these issues, as 
the chairman has mentioned, for the last 24 years now, almost 
25, and I'm very pleased to see that they are getting the 
attention as a policy priority both within the U.S. and around 
the world, and I certainly think we've made a lot of progress in 
having the kind of conversation that was discussed earlier. And 
I look forward to your questions.
    [Prepared statement of Mr. Painter follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Mr. Hurd. Thank you, Mr. Painter.
    Mr. Kanuck, you're now recognized for 5 minutes.

                    STATEMENT OF SEAN KANUCK

    Mr. Kanuck. Thank you very much, Chairman Hurd, Chairman 
DeSantis, Ranking Member Lynch, Ranking Member Kelly, and 
distinguished members of Congress. It is indeed a pleasure to 
be here and contribute to this important discussion.
    Having looked at it as an academic, as a professional 
international attorney, and as a national intelligence officer 
for 5 years until last May, I come with a genuinely strategic 
and analytic approach. I have not been involved in policy 
formulation directly in the past. And I concur with my 
colleagues about the importance of this topic, and after 15, 20 
years of my own experience, I, too, am excited to see the 
public and congressional attention being paid to this important 
issue.
    I will offer, however, that as a Nation we still lack both 
a strategic approach to this problem and a practical, effective 
set of solutions to deter malicious and adversarial behavior in 
cyberspace, and that itself is illustrated by the myriad cyber 
attacks we read about each year that are perpetrated by a range 
of state and nonstate actors.
    In my written testimony, I address several of the questions 
that my colleagues have also mentioned, so let me very briefly 
say that I concur with Mr. Hughes and Mr. Painter that digital 
acts of war will be judged through an effects-based analysis. 
In my academic work since 1996, I've held that position, and I 
do agree with the U.S. Government representatives here today 
that that is the correct approach.
    Regarding the issue of attribution challenges, I will note, 
in my analytic work for the intelligence community we looked at 
two considerations. We looked at the technical or forensic 
aspects--network investigations, malicious software, reverse 
engineering, and other digital footprints--in addition to what 
I term analytic attribution, where you looked at the 
geopolitical context within which malicious cyber events 
happen.
    In many cases, the context, the identity of the target, and 
how the information that was stolen, compromised, or made 
unavailable is used or leveraged can oftentimes tell you about 
the motivation and possibly the actor. That's from the analytic 
and technical attribution side.
    A completely distinct question is whether or not one would 
seek to do public attribution, and that is inherently a policy 
question for policymakers. It has three components, in my 
opinion.
    There's the question about the bilateral relationship with 
any entity you may accuse of an action. Cyber does not occur in 
its own stovepipe or domain. It's a part of much larger 
international and bilateral relationships.
    Secondly, the decision of whether or not to compromise 
sources and methods of intelligence in order to prove, 
evidentiary, why that attribution assessment is being offered 
publicly. Obviously, there would be policy reasons to not 
disclose certain intelligence capabilities, especially in a 
context where those capabilities may be perishable and they may 
be the exact same platforms or accesses that one may use for a 
retaliatory capability.
    So it's almost a double negative potential if you choose to 
publicly attribute in that context because you don't have 
separate reconnaissance platforms in all cases and separate 
retaliatory platforms the way you would have had in a nuclear 
context, for example.
    Last of all, as I believe Ranking Member Kelly may have 
mentioned, the issue of credible threats and credible 
deterrents. If you are not prepared or capable of exacting 
satisfaction upon accusing or attributing an action to someone, 
what does that do for your global reputation and the import of 
any of your declaratory statements?
    Those three very important policy questions are very 
distinct from the technical attribution questions, but equally 
important from a policy perspective.
    I will also commend the U.S. diplomats who have had what I 
think are great successes in the U.N. Group of Governmental 
Experts, the G-20, OSCE, and with particularly President Xi and 
the People's Republic of China. However, I am not personally 
convinced that diplomatic overtures directly translate into 
changes of behavior, particularly when Western countries like 
the United States continue to have fundamentally different 
objectives for international cybersecurity than certain other 
nations, such as Russia and China, and my written statement 
addresses some of that basal difference.
    I will also offer that I see a de facto norm today, which 
is: Do cyber operations, do them clandestinely, and try to get 
away with them, you might not be punished. And, in fact, 
Director Clapper's testimony in 2016 read, ``Many actors remain 
undeterred from conducting reconnaissance, espionage, and even 
attacks in cyberspace because of the relatively low cost of 
entry, the perceived payoff, and the lack of significant 
consequences.''
    My time has concluded, so I will leave that there for now. 
Thank you very much. And once again, thank you for the invitation 
to participate.
    [Prepared statement of Mr. Kanuck follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Mr. Hurd. Thank you, Mr. Kanuck.
    Mr. Singer, you are now recognized for 5 minutes.

                STATEMENT OF PETER WARREN SINGER

    Mr. Singer. Mr. Chairman, Ranking Members, and members of 
the subcommittee, it's an honor to speak at this important 
discussion today designed to reboot the cybersecurity 
conversation. This shift is direly needed as there is perhaps 
no national security problem more 21st century in its 
definition and form than cybersecurity, and yet, to solve it, 
too much of our discussion and strategy remains rooted in 20th 
century frameworks that don't well apply.
    I've submitted written testimony that breaks down the issue 
and what we can do about it. It focuses on the debate over 
digital acts of war and explains in detail how there are seven 
key differences with the cold war that make framing this 
problem in the old modes not ideal. It then provides a 
suggested new legislative strategy to face our challenge, 
breaking it down into key areas I'll focus on today.
    Notably, the strategy is nonpartisan, realistic in its 
implementation possibilities, and doesn't involve any massive 
increase in budget.
    The first key part of the strategy is deter through 
diversity. This includes improving our offensive cyber 
capability, but importantly, understanding that cyber weapons 
are not like WMD. They are tools of constant use in everything 
from espionage to ongoing operations against ISIS.
    Our real challenge here is more in integrating emerging 
cyber capabilities with our other conventional capabilities 
through improving training, doctrine building, and resolving 
command and control questions.
    But as we face an array of attacks and attackers, a 
military offensive cyber response is not the only tool that we 
have to change their calculations. For instance, to respond to 
IP theft, it makes no sense to limit ourselves to retaliation 
with the exact same action in the same domain. We can also go 
after other assets that are valued by the attacker in other 
realms and even those valued by influential third party actors, 
such as sanctioning companies benefitting from stolen fruit.
    Indictments of individuals involved in hacking have value 
not so much in actual direct judicial punishment, but as a 
different means for surfacing data about attribution. 
Creativity and flexibility will beat simplicity in this 
dynamic. Indeed, we may even steal ideas from one attacker's 
playbook and apply them against another as a deterrence tool.
    From Snowden to Sony, data dumps have been among our most 
vexing cybersecurity incidents, but they have not threatened 
our core national interests. By contrast, threatening to reveal 
the private financial data of an authoritarian regime's leader, 
his family, or allied oligarchs may be far more potent than a 
counter cyber strike. We can sometimes see what regimes fear 
most by what they ban discussion of.
    The second and arguably most important part of the strategy 
is deterrence by denial, making attacks less likely to cause 
harm, and thus, less likely to happen. The magic word of 
resilience is that it works against any kind of attacker and 
attack, and it's perhaps where Congress and this committee can 
have the most impact.
    The areas that call out for action cover the spectrum. On 
the military side, we have spent over $2 billion on 
construction alone at Fort Meade, and yet the Pentagon's own 
weapons tester found, quote, ``significant vulnerabilities,'' 
end quote, in nearly every major weapon system program that 
would be exploited in any actual war.
    In the executive branch, the White House has issued a post-
OPM cybersecurity strategy that describes best practices every 
Federal agency needs to put in place. Ensuring their actual 
implementation at every Federal Government agency and 
encouraging their spread to the State and local level could be 
one of the most important things that Congress does on 
cybersecurity.
    In relation to the business and public, sometimes 
government can be a trusted information provider and sometimes 
it must go further to help shape individual and market 
incentives, as it has in realms that range from public health 
to transportation. The government should not merely support 
research on basic standards of Internet security, such as the 
laudable NIST process, but now work to ensure their use. It can 
do so by efforts to spur the nascent cybersecurity insurance 
market that both protects business and incentivizes them to 
find and maintain best practices.
    True cybersecurity resilience is not just about computer 
and legal code. It's also about people, and we have a huge 
people gap here. The administration has a new Cybersecurity 
Human Resources Strategy, but it needs to, one, be overseen to 
ensure actual implementation, particularly across 
administrations, and two, it will fail if it only puts new 
people in old organizational boxes.
    We also have to find ways to tap talent outside of 
government. Take the Pentagon's recent 1 month experiment with 
bug bounties. It saved millions of dollars, yielded 1,100 
reports on how to protect our systems before the bad guys could 
attack them, and it talent scouted across the U.S. One of the 
hackers working for us was an 18-year-old who did it in his 
spare time while taking his AP exams. Yet there is not a 
parallel at other Federal agencies, nor at our State and local 
partners.
    Or consider that we have retasked a number of National 
Guard units to become cyber warriors, but there is a wealth of 
talent that is either unwilling or unable to meet the legal and 
physical obligations that come with joining the U.S. military. 
Here I would point to Estonia's Cyber Defense League as a model 
to draw on. Think of it as the cybersecurity equivalent to the 
Civil Air Patrol, creating a mechanism for citizens to 
volunteer their expertise for cybersecurity to aid--for free--
in everything from red teaming to serving as rapid response 
teams to cyber attack. They have helped Estonia become one of 
the most cyber-resilient nations in the world.
    The third role of the strategy, I won't hit. It's norms. 
It's in the submission. I think it's been covered well here.
    I would end just simply by saying we can either approach 
this topic with a new strategy that faces our new needs or we 
can continue to talk tough and simple and be victims.
    Thank you.
    [Prepared statement of Mr. Singer follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Mr. Hurd. Thank you, Mr. Singer.
    I would now like to recognize Mr. DeSantis for 5 minutes of 
questioning.
    Mr. DeSantis. Thank you, Mr. Chairman.
    General Alexander, how do you view the distinction, if you 
think there's one, between the threat from state-sanctioned 
cyber attacks versus nonstate actors who are trying to attack 
us in cyberspace?
    Mr. Alexander. I would not make a distinction based on the 
impact to our Nation. And I think that's an extremely important 
question you bring out, because it really says: What's the role 
of government in protecting this country. And it doesn't matter 
who takes down the financial sector, the energy sector, the 
healthcare sector. If it goes down, that's critical to our 
Nation.
    So the consequence and the approach in our strategy has to 
discuss both. We learned that in 9/11. While there may not be 
direct ties to this or direct linkage back, I think that's the 
approach that we should take--look at what the impact to the 
Nation would be.
    Mr. DeSantis. And I agree with that in terms of trying to 
prevent that. How, though, if there is a successful attack, how 
do you then respond if there are, in fact, nonstate actors who 
are responsible? After 9/11, I think that's actually a good 
framework to think about it, the policy was, look, if you're a 
state actor, you may not have committed the attack, but if 
you're harboring terrorists who are doing it, we're going to 
hold you liable.
    Does that same framework, will that work in cyberspace? 
Because it would seem to be difficult that a government would 
be able to have a handle on everybody who's operating in 
cyberspace.
    Mr. Alexander. Right. So you've asked a great question in 
that, because it also gets you back to our strategy. And the 
strategy can't be: What are we going to do after an attack? 
It's really what you're hitting on, is we can't afford to allow 
that kind of attack to occur. And so what it really does is it 
says we're going to shape our strategy on preventing, not on 
forensics.
    Now, forensics are important, we do have to go through, but 
if everything is based on after-the-fact forensics, then you're 
already lost something. And what you're really getting to is we 
need a defensive strategy that stops that from happening.
    And I would take it one step further. We look at the theft 
of intellectual property, the greatest transfer of wealth in 
history. That's taking our future away from us. How do we 
defend against that? And I believe that's where government and 
industry need to work together.
    I like Peter's approach about working together with 
industry. We need to make a more secure cyberspace. And all the 
rules that we could put in with State, with DOD, but it has to 
be a linkage to the commercial side. They own the vast majority 
of the networks.
    Mr. DeSantis. Mr. Kanuck, you talked about how people in 
cyberspace could be doing espionage, typical things that 
governments do. They could also be doing it, which would be 
considered more of an attack along the lines of an act of war.
    So do we have the forensic ability to determine whether a 
particular measure was meant or compromise was an attack versus 
a form of espionage, and how does that impact our ability to 
calibrate our response?
    Mr. Kanuck. In response to particular incidents, there are 
usually ad hoc investigations dealing with the particular 
circumstances. It is very difficult to divine the intentions of 
would-be adversaries or actors in specific instances. Often you 
might derive that information from other sources of 
information, intelligence collection and other areas, to know 
what actors' objectives may have been. Simply looking from the 
forensic data, if you are able to see what was exfiltrated and 
where it went and how it was later used, that may give you a 
sense of the objectives.
    I will simply offer that in the real-time context of an 
ongoing incident, where you would want to be responding in a 
policy or military sense in real time, that will be a very high 
challenge for real-time attribution, and to motivation as well. 
If you are permitting policy responses days, weeks, months 
later when you do have a higher degree of attribution, that may 
be possible, but it is not a certainty that you always know who 
did it and why.
    Mr. DeSantis. Great.
    Mr. Singer, we're hearing more about nonstate actors, 
terrorist groups, criminal groups using sophisticated toolkits 
to launch cyber attacks. So, first of all, are sophisticated 
cyber capabilities finding their way to less sophisticated 
actors? Are we seeing evidence of that?
    Mr. Singer. Yes, they are. They proliferate. However, I 
think we still need to recognize that states are the big dog in 
this, both because of their higher technical capability, so, 
for example, ISIS was mentioned, lethal group in lots of 
different ways, but their cyber capability pales compared to 
China or Russia.
    The second is the scale that a state can bring to the 
problem. So it's not just sophistication. It's the ability to 
mobilize thousands, tens of thousands or hundreds of thousands 
of people in the community if you are carrying out an attack.
    States are a fundamentally different challenge here than 
nonstate actors. Fortunately, on the good side, states have 
interests, and so they can be deterred in a different way than 
many nonstate actors can't, so we shouldn't bundle them 
together.
    Mr. DeSantis. Thanks. My time has expired, and I yield 
back.
    Mr. Hurd. General Alexander, do you want to answer that?
    Mr. Alexander. Yeah, Mr. Chairman. I would recommend, based 
on what Chairman DeSantis brought up, that the committee might 
consider getting a briefing or a demonstration of the dark Web. 
It answers the question that you were just asking: What's 
available for hackers out there, what do they do to buy it, and 
how are they getting their materials? And there are companies 
that have some of these demonstrations that I think you would 
find extremely informative on just that question: How is it 
proliferating?
    Mr. Hurd. Thank you, General.
    And we're going to recognize Ms. Kelly for her 5 minutes of 
questions, and then we'll go into recess for votes.
    Ms. Kelly. Thank you, Mr. Chairman.
    Mr. Singer, in a December 2015 article for Foreign Policy 
magazine's Web site, you said that government strategies for 
responding to cyber threats are based on assumptions and plans 
made for the cold war threats that are 30, 40, 50 years old. Is 
that accurate?
    Mr. Singer. Yes.
    Ms. Kelly. Okay.
    Deputy Assistant Secretary Hughes, during the cold war, our 
strategy of mutually assured destruction was based on the fact 
that we could tell instantly if the Soviets fired an 
intercontinental missile. Is that correct?
    Mr. Hughes. Yes.
    Ms. Kelly. Is it equally obvious to figure out where a 
cyber attack originates?
    Mr. Hughes. I think, as Mr. Kanuck said, there's many 
factors that go into that attribution and determination. So I'd 
say it's probably not as instantaneous as it was during the 
cold war.
    Ms. Kelly. And why do you think that is? Just because there 
are so many factors?
    Mr. Hughes. The number of factors, there's a number of 
actors, diverse operators on the Internet, makes it extremely 
difficult.
    Ms. Kelly. Okay. Thank you.
    Mr. Singer, unlike during the cold war, you said, when 
considering responses to a cyber attack, and I quote, ``the 
defender's best move may well not be to strike back as rapidly 
as possible, but to show no outside awareness of the ongoing 
attack.''
    Deputy Assistant Secretary Hughes, why might the U.S. 
choose not to respond to a cyber attack?
    Mr. Hughes. Well, ma'am, I think it goes to points that my 
colleague Mr. Painter made in terms of what our response might 
be. I think there's a number of factors from foreign policy 
implications and the like that we want to make a determination 
on response on a case-by-case basis.
    Ms. Kelly. So the main question of this hearing is, when do 
we strike back against an adversary for a malicious cyber 
attack? Taking it one step further, when do we respond with not 
just a cyber attack of our own, but possibly missiles and 
tanks?
    Mr. Singer, you said that we need to think differently 
about our response to cyber attacks, and I was trying to write 
down everything you said. You talked about deter through 
diversity, sanctions, indictments, being creative and flexible, 
maybe revealing finances of our enemy. Any other strategies you 
want to add? You talked about HR and talents to bring aboard.
    Mr. Singer. There's a whole series of things, but I think 
the key here is to recognize, when we're talking about the 
attacks, there is a wide array of them, so the attack on us 
might be anything from intellectual property theft to 
espionage, stealing of a state secret, to our feared scenario 
of something that causes mass loss of life.
    The first two, traditionally, have not been defined as acts 
of war. The third may meet that definition. And then in no way, 
shape, or form would we want to limit ourselves to a merely 
cyber response to it. We would want to have all the tools 
there.
    The other issue here is the timing. Part of why you may 
choose to delay your response is not just the normative 
questions. It's to complicate the attacker's job. If you know 
that they're inside your system, you can then observe them, 
steer them into areas where they can't cause harm.
    The bottom line here is that we're going to need a very 
creative and diverse strategy, and the old kind of cold war 
model of whacking back if they hack us just won't be 
successful. It won't deliver actual cybersecurity.
    Ms. Kelly. Thank you.
    Mr. Hughes and Mr. Painter, how do you respond?
    Mr. Painter. I'd say a couple of things. First of all--and 
this also goes to Chairman DeSantis' question--we do have a 
range of tools in our toolkit. So, yes, hacking or using cyber 
offensive operations could be one. Using kinetic operations may 
be another, depending on what the incident is. We said in our 
international strategy in cyberspace back in 2011, we have the 
full range of tools we'll use if the incident is significant 
enough, including diplomatic, including economic, including 
cyber tools, including kinetic tools in appropriate 
circumstances. We'll try to exhaust the law enforcement and 
network security tool first.
    I also quite agree that part of this is--I'd push back 
against the view that we are looking at this from a nuclear 
perspective or one that's from 50 years ago. I think one of the 
things we've been doing and spending a lot of time on is 
looking at this whole-of-government approach where we're really 
looking at new capabilities, new tools, making sure we're 
inculcating this throughout not just our government, but NATO 
was mentioned, making sure that NATO has this as part of their 
strategic concept, making sure that other countries understand 
this and we have more of a collective defense.
    That's exactly what we're trying to do. And when you're 
talking about the criminal threat, I agree with General 
Alexander that it's not--you know, you look at the effects. The 
effects might be the same, but the tools you use to respond 
might be different. If it's a nation-state, you have certain 
tools. If it's a criminal group, you might be using law 
enforcement investigatory tools.
    Ms. Kelly. Do you have anything much different, because my 
time is running out? Is there anything else?
    Mr. Hughes. No, I think Chris hit it right on the head. 
There's a diverse way that we can respond, and we need to bring 
all those to bear for each event.
    Ms. Kelly. Thank you.
    Mr. Hurd. So votes have been called, so the chair is going 
to declare a recess until immediately following the last vote.
    [recess.]
    Mr. Hurd. The Committees on Information Technology and 
National Security will come to order. Again, for the record, 
General Alexander had to depart for a prior engagement.
    And now I would like to call on the ranking member of the 
National Security Subcommittee, Mr. Lynch, for his round of 
questions.
    Mr. Lynch. Thank you very much, Mr. Chairman.
    And, again, I thank the witnesses.
    Mr. Singer, in your written testimony for today's hearing, 
one of the ways in which you indicate the United States could 
strengthen its cybersecurity protocols is through the continued 
development of international norms of conduct between nation-
states. And I think that's correct. But I do know that we have 
had a recent problem with the SWIFT network, which is an 
international banking network that is critical to our economy 
and especially to our international finance community.
    The difficulty there is that we've had evidence that there 
were several possible points of vulnerability, one being the 
Bangladeshi bank that was the principal bank, but also we've 
got cooperation by the Federal Reserve Bank of New York in 
forwarding $81 million to a Philippine casino. And so these 
people actually got away with this. This is $81 million through 
the SWIFT network that was actually achieved by the hackers.
    I know they tried to transfer about $1.8 billion. They got 
away with $81 million. Still, it's very concerning because of 
the importance of the SWIFT network.
    And I'm just wondering, if you go by the theory that we're 
only as strong as our weakest link, there are some suspect 
practices in Bangladesh and in the Philippines that people 
think may have contributed to that hack. And in addition, I 
think there are a dozen banks that have been now identified and 
had contact with FireEye, which is the security firm that was 
involved at the Bangladesh central bank.
    So all of the banks are southeastern banks, Southeast Asia. 
None of the banks, except for the Fed, and apparently they have 
the right codes and the right protocols from the Bangladesh 
central bank, but no banks in the United States, no banks in 
Western Europe. The implication could be that those banks in 
Southeast Asia did not have the firewalls, did not have the 
cybersecurity systems that the European banks and U.S. banks 
have.
    So how do we approach that? Especially, I mean, you could 
take an approach that people are not allowed to participate if 
they don't have a robust cybersecurity system in place. But 
that would put a lot of developing countries--Nigeria, perfect 
example, growing economy--that would shut a lot of people out 
from the international banking communities.
    So it presents difficulties. But the size of these hacks, 
these breaches, is problematic, so we've got to do something. I 
was just wondering if you had any thoughts since you raised it 
in your written testimony.
    Mr. Singer. I'd raise three things.
    First, I agree completely with you that the attack on the 
SWIFT system is significant to the U.S. because of what it 
means, not just for us, but the global financial system. So the 
first issue is, at least from colleagues in that world, they 
are not yet satisfied that the fixes that are needed to be 
made, that the assurance that these kind of breaches can't 
happen again, they haven't received it in sort of a third-party 
validated manner. The confidence in the system isn't there. So 
we need to focus on how do we restore confidence in the system 
that these fixes have been made.
    Second is the idea of norm building. Norm building is not 
just identifying what kind of attacks should or shouldn't be 
allowed to happen. It's also for us to figure out identifying 
sorts of targets that everyone can agree should be off limits. 
So, for example, this is an area of concord that we might have 
with a China, with a Russia, and the like, that attacks on the 
targets may not be militarily significant, but they harm us 
all. So the norm building is going to have to be--the 
difference with cold war where any kind of target was allowed, 
but the attack didn't happen, now we now have lots of different 
attacks, but it's focusing on which targets are allowed.
    The third category is actually linked to a different 
incident, which we haven't talked about, but I think is crucial 
to norm building, essentially, the failure of the U.S. and the 
international community to respond to the December hack of the 
Ukrainian power grid.
    This is the first proven takedown of this kind. It's the 
long-discussed nightmare scenario. It's a violation of a widely 
agreed norm not to target civilian infrastructure with the 
intent to cause widespread and disproportionate damage. And 
yet, in the story of action and consequence, we had action. So 
far we've had no consequence.
    So if we're talking about norm building, SWIFT is a great 
example, but the Ukraine one, I think, is even more important 
for us to wrestle with.
    Mr. Lynch. That's great.
    I'm not sure, if Mr. Painter, you have anything you would 
like to add?
    Mr. Painter. Yeah, if I could.
    Mr. Lynch. Or Mr. Kanuck or Mr. Hughes.
    Mr. Painter. Part of the solution to this is the long-term 
norm building. And this is something we've undertaken and, 
frankly, as I've said we've led on. And the idea is, there was 
this very high level of cyber war, which we don't see and, 
frankly, don't see every day, but there's a lot of conduct we 
see below that level. And we've made a lot of progress in a 
short time in not only getting countries that are like-minded 
to agree, but also getting China and Russia, for instance, to 
agree.
    And the norms we've been promoting are, for instance, don't 
attack the critical infrastructure of another country absent 
wartime that provide services to the public, don't attack 
certs, don't attack the computer emergency response teams. 
Don't use them for bad, use them for defensive purposes. And an 
expectation that if you get a request from another state 
and there's malicious code coming or activity coming from that 
state, that you're going to mitigate it through technical or 
law enforcement means. And then, finally, don't steal the 
intellectual property using cyber means of another country for 
your commercial benefit.
    And that's new, and we're promoting that, and that's some 
of the stuff we have been doing in the G-20. If you look at 
literally every time the President has a meeting with a foreign 
leader, every single time, and the Nordic summit is an example, 
the Modi visit just recently is another, you'll see a big 
statement on cyber, including these norms. That's a real 
priority.
    Mr. Lynch. Yeah. Thank you.
    Mr. Hurd. I'd like to recognize Mr. Russell for 5 minutes.
    Mr. Russell. Thank you, Mr. Chairman.
    And, gentlemen, thank you for being here. It's been a 
really insightful discussion. And I guess what was mentioned 
earlier by General Alexander, I believe, talking about the rise 
of ransomware and this bitcoin hostage-taking of servers in 
businesses, we see it all the way down to small businesses, as 
a preferred method, too difficult to fight, not a big enough 
dollar amount to matter, and they're raking the public for 
millions of dollars.
    Could you speak to that a little bit? And then I've got 
another line that I'd like to discuss after that. Whoever would 
like to take that, or anyone that wants to comment on that.
    Mr. Kanuck. I think one of the issues you point to is the 
magnitude of specific incidents. And during my work at ODNI, 
and certainly in some of Director Clapper's testimony in 
the past, he's talked about the cumulative effect of low to 
moderate level attacks that are already compromising U.S. 
economic competitiveness and national security. So I would 
simply draw attention to that.
    It's analytically recognized that the cumulative impact can 
be very significant even if individual events are not that 
large. And then that becomes a policy response or a legislative 
or regulatory issue for policy determinations of how and when 
to respond. But analytically speaking, the mere fact that 
you're not seeing singular gigantic events should not put 
anyone at ease about the problem, because the cumulative 
effects are very, very significant and deleterious.
    Mr. Russell. And I'm not even sure that it's due to these 
hostile nation militaries. I've actually had constituents that 
have, you know, they've been pirated. Their servers have been 
frozen. We've seen things like this.
    Mr. Singer, and then you, Mr. Painter. Thank you.
    Mr. Singer. I would agree completely. And it points, again, 
to the value of the resilience node and the strategy where the 
way to mitigate these attacks is to spread best practices and, 
second, to help spur on the development of the cyber insurance 
industry that both backstops these victims, but also help 
incentivize them to have the best practices that avoid it.
    Second, it's a great example of how an offensive hit back 
within the cyber realm wouldn't do anything to solve this 
problem. This is why you have to have a very diverse strategy.
    Mr. Russell. Yeah. I agree with that.
    Mr. Painter.
    Mr. Painter. And I would say three things.
    One, hardening the targets, just to emphasize hardening the 
targets, which is a difficult job, but so important. And our 
colleagues from DHS who are not here can speak to that 
especially, but also the private sector.
    The second is, this is an evolution of a threat we've seen 
before. I remember a case when I was at Justice where then-
Mayor Bloomberg--he wasn't mayor then--when Bloomberg had his 
business, someone hacked into his information. They threatened 
to expose all of it if he didn't pay them ransom. And he 
cooperated with the FBI, and they arrested the guy.
    So this is the newest iteration of that kind of a threat, 
and it certainly has very damaging characteristics. But one 
thing--and, again I'd defer to my Justice colleagues on this--
that we did in the fraud cases, where you had lots of small 
frauds, and they end up sometimes being the same actors, if you 
look at how to aggregate that, you share intelligence, so you 
look at the actors and you go after the actors.
    Mr. Russell. Well, and it seems to me--and, Mr. Singer, you 
had made mention of best practices and things--there's just 
some basic things that could be done. One, report it to the 
FBI. It might seem insignificant to them, to the business, but 
it is important in a collective thing. And then the other 
thing, routine backups, changes, all of that, things that we 
kind of take for granted.
    Really, we're looking at a sphere of technology not unlike 
100 years ago in the electronic warfare sphere. We were using 
telegraphs, then we were using wireless, then we had towers in 
communication and in satellite, and we saw the maturation of 
electronic warfare.
    And I would argue that a lot of our systems that we have in 
place today with regard to electronic warfare is the same 
sphere for cyber attack. They use the same power sources, the 
same type of infrastructure to spread out and branch even with 
the digital. I see it very much like that, electronic warfare, 
a war in the shadows.
    Isn't there a way that we could also do strike-back attack 
in that war on the shadows that's not public? I leave that with 
whoever wants to answer that.
    Mr. Hughes. I guess the one comment I would make to that is 
we've actually tried to do the opposite of that through the 
release of our most recent strategy and try to normalize 
activities in cyber so it is out of the shadows, so there's 
more transparency around what we're doing and a better 
understanding both from our allies, the American people, as 
well as our adversaries as to what your intentions are.
    I think it's when folks view it as being in the shadows 
that there's more question about what we're doing to respond to 
malicious activity. So I think we're trying to normalize 
activities in the domain and not make it more classified.
    Mr. Kanuck. I think Mr. Hughes raises an important point 
about increasing transparency. Clearly, certain intelligence 
activities, to include covert action, may have their place at 
certain times and in certain instances, but normalizing and 
increasing transparency could be greatly helpful.
    And I offer that what any nation would choose to do sets 
precedents that are very difficult to prevent other nations 
from copying in the future. So the question would have to be 
asked, would you want that to be the rule that all countries 
obeyed of operating on partial or medium confidence attribution 
to be taking clandestine action with deleterious effects?
    That could be a very dangerous environment if everyone is 
not acting with very, very high standards of attribution and 
preventing collateral damage.
    Mr. Painter. And if I may very quickly, I think, we can't 
discuss it in this environment, because it's a classified 
Presidential directive, but we can say there is a Presidential 
directive that deals with this. And it's important for 
countries to have doctrine around this, so there is that kind 
of predictability that Sean talked about.
    And our doctrine does two things. One, it makes sure that 
everything is integrated. We're not just thinking about these 
things separately, but we're integrating all our capabilities 
and all of the different equities involved. And, two, that 
we're going to favor network security and law enforcement as 
our first lines of defense and then look at other tools after 
that.
    Mr. Russell. And as I close, Mr. Chairman, thank you for 
your indulgence. I guess there's a part of me and the warrior 
in me, do you want to answer a Sony attack with a Stuxnet or do 
you want to wish that you had good practices and everybody 
cooperates? I personally think there has to be a balance of 
both. If we show ourselves weak, this problem is only going to 
grow.
    And thank you, Mr. Chairman. I yield back.
    Mr. Hurd. The gentleman from California, Mr. Lieu, you're 
recognized.
    Mr. Lieu. Thank you, Mr. Chair.
    Mr. Hughes, thank you for your public service. I have some 
questions for you.
    Earlier this year, Defense Secretary Carter stated that 
encryption was absolutely critical to the Department of Defense 
in terms of protecting cybersecurity. Would you agree with 
that?
    Mr. Hughes. Yeah. I mean, Department of Defense systems 
rely on encryption for our communication out in the field and 
with our partners. Absolutely.
    Mr. Lieu. He also stated that he opposed back doors that 
would weaken encryption. Do you agree with that as well?
    Mr. Hughes. I would support the Secretary's position for 
the Department.
    Mr. Lieu. And I just want to make sure, the Department's 
view is that we need to move to stronger encryption, not weaker 
encryption. Is that correct?
    Mr. Hughes. I support the Secretary's position on 
encryption.
    Mr. Lieu. Thank you.
    So now I would like to ask you, in your job, do you deal 
with telephone networks' communications as part of what you 
deal with in your role in terms of cybersecurity?
    Mr. Hughes. So I think there's collaborations between what 
my office does for operational oversight, international 
partnerships, and interagency collaboration of cyber policy and 
what the DOD CIO does from oversight from a network security 
and telephony perspective. My office, per se, does not cover 
telephony protocols or any of the technical specifics.
    Mr. Lieu. Okay. Earlier this year it was revealed there was 
a flaw known as the Signaling System No. 7 flaw in our 
telephone networks. And as I understand it, decades ago when 
they set up these networks, and let's say you had to make a 
call to Africa, the U.S. network would hand off to a European 
network or hand off to the African network. And it was assumed 
that these networks would be trusted. It turns out that some of 
these networks are owned by foreign adversaries like Russia or 
Iran or criminal syndicates related to these foreign 
adversaries.
    Have you looked at that issue at all?
    Mr. Hughes. I'd have to take that question for the record. 
It's not something that my office in particular has looked at.
    Mr. Lieu. Who in the DOD would be looking at that issue?
    Mr. Hughes. I'd have to take that for the record. I would 
assume the DOD CIO would look into that, but I would have to 
get back to you on that.
    Mr. Lieu. If you could, that would be great. Because, as I 
understand it, if a foreign government exploits this SS7 flaw, 
which any foreign government that has a telephone network can, 
it then allows them to listen in on the telephone conversations 
of anybody's cell phone just knowing that cell phone number, 
track their movements, and get their text messages.
    It always struck me as odd when we go on these codels 
abroad, we get all these briefings on don't take your 
smartphones, have these protections, make sure you follow these 
cybersecurity hygiene tips when you're in these foreign 
countries, when it turns out these foreign countries can just 
listen in on our phone conversations knowing our cell phone 
number right here in the United States.
    So if we could get some information back on that and 
whether the problem has been fixed, it would be helpful.
    Mr. Lieu. And then I have some questions related to the 
Obama administration's new Cybersecurity Workforce Strategy 
that was announced yesterday. One of the proposals is to 
increase funding and salaries to recruit and retain talented 
cyber professionals.
    So the question for you, Mr. Hughes, as well as you, Mr. 
Painter, I'd like to know what is the issue with that, how 
important is it? And second, what is your sort of view on your 
ability to retain people once you get them in the cybersecurity 
field?
    Mr. Hughes. So I can speak to the Secretary's Force of the 
Future initiatives around the Department of Defense. I'm not 
familiar with the specific program that the administration just 
released writ large.
    Specific to Department of Defense, we're always looking at 
novel ways to bring in and recruit and retain more talented 
professionals across a variety of domains. We understand the 
acute challenges of retaining our highly trained and skilled 
personnel that operate on the cyber systems.
    And so the Secretary's Force of the Future initiative is 
looking at a variety of different ways to have more 
permeability between private sector and government service, as 
well as different ways to bring in folks to serve in different 
positions, both military and civilian.
    Mr. Lieu. Thank you.
    Mr. Painter. And I would say, yes, this is part of the 
larger administration attempt to really bolster our 
cybersecurity. One of the problems we face, not as much in my 
shop because I'm a policy shop, but certainly throughout the 
government, is finding qualified people who do cybersecurity 
work. Competing with the private sector. It's still a fairly 
small pool. I'd say that there are schools, and we have been 
working with schools to get programs to have more people 
dealing with this.
    I should say that I was a 9-year resident of your district, 
and I suspect that many of them live in your district, and I do 
miss it every day. So if you can convince them to come out 
here, that would be great.
    Mr. Lieu. Thank you.
    Thank you. I yield back.
    Mr. Hurd. Mr. Hice from Georgia is recognized for 5 
minutes.
    Mr. Hice. Thank you, Mr. Chairman.
    I want to begin with you, Mr. Hughes, but if others of you 
have some input, feel free to jump in here. But what are the 
factors that define a cyber act of war as opposed to a cyber 
attack?
    Mr. Hughes. So, again, as I mentioned in my opening 
statement, cyber incidents are reviewed on a case-by-case 
basis. We take into account loss of life, injury to person, 
destruction of property, and the national security leadership, 
and the President will make the determination if it's an armed 
attack. But I would defer to Mr. Painter for a more thorough--
    Mr. Painter. Yeah, I echo that completely. I think it's an 
effects-based test, just like it is in the physical world. So 
we are not using a separate test for the physical.
    Mr. Hice. So at what point do we--what are the rules of 
engagement that would determine a response, be it a cyber 
response or kinetic?
    Mr. Hughes. Again, not to sound cliche, but, again, it will 
be on a case-by-case basis. We will evaluate each incident on 
its merits and make a determination, again, through a whole-of-
government collaboration, on what the response might be.
    Mr. Hice. So who makes that decision? Is it the President 
alone or are there multiple agencies or representatives from 
the agencies that would be involved?
    Mr. Hughes. The national security leadership, in 
conjunction with the President, make that determination.
    Mr. Painter. But I would say that, as we look at these, 
there are a range of different activities. And you use the term 
cyber warfare, but the question often is what constitutes an 
armed attack under international law that would then give a 
right to self-defense. But even if it's below that threshold, 
we still have a way--there's a number of ways to respond. It 
could be kinetic. It could be through cyber means. It could be 
through economic means and sanctions. It could be through 
diplomacy. It could be through indictments and law enforcement 
actions.
    And what we have done, and this is one of the things, 
having tracked this for so long, I've seen as a real change and 
a really beneficial change, is there is a very, very strong 
interagency process that as we're looking at these threats--I 
mean, Aaron and I, in particular, we talk all the time--but all 
the different interagency colleagues do talk about these 
threats, talk about possible responses.
    In the end, it's up to the National Security Staff and the 
President, but we look at all these different opportunities. If 
it's a criminal matter, Justice will take it, for instance. So 
we'll look at our tools.
    Mr. Hice. I'm concerned with the lack of clarity on this 
and the bureaucratic, multilayered involvement to make a 
decision. And now we have Cyber Command in Fort Gordon.
    If CYBERCOM were elevated to a full combatant command, 
would that help?
    Mr. Hughes. I think we're always looking at ways to make 
the military establishment more efficient and effective. I 
wouldn't say that elevation of Cyber Command in and of itself 
would help in the determination of a cyber incident being an 
armed attack versus other types of malicious activity.
    Mr. Hice. Mr. Singer.
    Mr. Singer. To weigh in from outside of government, 
essentially, in defining whether it's a war or not, many of the 
same measures would be used, whatever the means, cyber or 
physical. To put it bluntly, throughout history it's decided by 
whether it combines a political intent and mass violence of some 
kind, physical violence, death, injury.
    So, as an example, there are cyber attacks that steal 
secrets, they are incredibly vexing, but no Nation has ever 
gone to war just because their secrets are stolen. The 
judgment, though, is a political judgment on when it's an act 
of war. And my hope is, and this is the value of this hearing, 
that it's not just the President or the NSC, but it's also 
Congress that traditionally has decided when the U.S. is at war 
or not.
    Mr. Hice. Well, yes, to some extent. But let's go down that 
path a little bit further then. Can a member of NATO invoke 
Article 5 for a cyber attack?
    Mr. Painter. Yes, they can. In fact, there's been a lot of 
activity in NATO since 2012. Cyber is part of NATO's operating 
construct. We just had a leaders-level meeting for NATO where 
they agreed, among other things--they previously agreed that 
international law applies, including the Law of Armed Conflict. 
They are doing cyber strategies that Aaron can talk more to. 
But one of the things that was agreed to back in, I think it 
was 2014, is that cyber could qualify under Article 5.
    Mr. Hice. Okay. Well, then, let me ask this. Does NATO have 
a definition of what constitutes a cyber attack, seeing that we 
don't?
    Mr. Painter. First, I think it's not true that we don't 
have a definition. We just talked about what would qualify and 
the factors you would use.
    I would have to go back and look at NATO's doctrine, but I 
think they have a lot of focus on this, they understand the 
risks out there, and they are building the capability.
    Mr. Hice. All right. Well, our definition was not clearly 
communicated to me. It was going to be left up to the President 
and others based on certain factors and somewhere they're going 
to make a decision.
    But I assume my time has expired. Mr. Chairman, I thank you 
for your indulgence. I yield back.
    Mr. Hurd. The gentleman from Iowa. Mr. Blum, you are 
recognized for 5 minutes.
    Mr. Blum. Thank you, Mr. Chairman. I appreciate it.
    And thank you to our witnesses today for providing us some 
insights into this growing problem of cybersecurity.
    I come from the private sector. I've been operating in the 
private sector my entire career. So I would like to chat a 
little bit about China and the United States private sector. 
And while most of my questions would be toward Mr. Painter from 
the State Department, anyone else feel free to jump in.
    Mr. Painter, the State Department's Overseas Security 
Advisory Council, OSAC, recently concluded that, despite 
media's reporting that Chinese cyber attacks are decreasing, 
cases of a Chinese espionage campaign against the U.S. private 
sector are ongoing. Which sectors, Mr. Painter, do you think 
are most at risk for these Chinese cyber attacks?
    Mr. Painter. Look, I think the DNI has talked about this, 
and we continue to see intrusions in the systems, both 
government systems and private sector systems, for espionage 
purposes.
    What we agreed to with China, which was significant, is 
that they would not break into private sector systems to steal 
intellectual property or trade secrets or business or 
proprietary information for the purposes of benefiting their 
commercial sector.
    On that, we have been pushing them very hard. There's a 
number of ways we have been doing that. It was really a 
remarkable fact that they came to that agreement when President 
Xi was here. And we said we are going to hold them accountable. 
We are still going to use all the tools we have.
    And the jury is still out. I think Admiral Rogers recently 
testified, saying we are watching closely. But the jury is 
still out.
    Mr. Blum. Any other comments on that question?
    Mr. Kanuck. Again, I left government on May 9 of this year, 
but up until that point, I would concur with what Chris has 
just said. Having been the office that was charged with making 
those determinations on behalf of the U.S. Government, the jury 
is still out or was as of May 9.
    And I would just offer two other considerations that one 
has to think about, and I mentioned this in my written 
statement. Modi operandi may change, so behavioral patterns 
may change. And the question of volume or quantity versus rate 
of success and quality of foreign activities is something that 
needs to be considered.
    So I would recommend that if that is an issue that is of 
interest to you, sir, that's probably better for closed 
hearings with my colleagues or others from the intelligence 
agencies in the future. But asking what the current impacts are 
and what, if anything, has changed and metrics, that kind of 
attribution analysis is very, very difficult and you quickly 
get into classified discussions. But it's a worthwhile question 
and one we grappled with for my 5 years at ODNI.
    Mr. Blum. Mr. Singer.
    Mr. Singer. If I understood your question, it was in 
essence who is being targeted, and it's a confluence of two 
factors. It's, one, what are their national priorities for 
economic success. To put it another way, what industries do 
they want to be global leaders. And those are industries that 
have been most targeted for intellectual property theft in the 
past. The agreement may change that.
    And the second is vulnerabilities, where are the weak links 
and who are they able to get into, and that, again, points to 
the value of resilience-based strategy where it's effective be 
it against the threat of intellectual property theft to the 
threat from cyberterrorist to China in a military means. Good 
defense actually is good defense.
    Mr. Blum. Mr. Painter.
    Mr. Painter. And I would certainly agree with the hardening 
of the targeted issue, which we've raised a number of times. 
But I would also say, it's not just the U.S. So, one, the 
important thing is a lot of other countries have raised this 
concern. The U.K. has raised it, Germany has raised it, and 
others. And the G-20 statement that I talked about where there 
is an affirmation among the leaders of the G-20 that this 
conduct was impermissible I think is also important. It sets a 
metric that we can hold people accountable by.
    Mr. Blum. Relative to China, and since we're talking about 
cyber attacks in the private sector, one would think the reason 
for China doing this would be economic. But is there any 
military reason China would be attacking our private sector? 
Maybe Mr. Hughes would have some insight into this.
    What are your thoughts? Are these attacks, cyber attacks, 
mainly private sector economic or are they also military?
    Mr. Hughes. I think they're probably targeting our private 
sector companies to enhance their national security apparatus 
as well. I'm sure that some of our defense industrial base 
companies are being targeted by the Chinese to benefit their 
military development in advancement of their technologies.
    Mr. Blum. Mr. Painter, any other insights on that?
    Mr. Painter. No, I would agree. I would think that you'll 
see, just as the DNI said, a full spectrum of targets given the 
information that's out there.
    Mr. Blum. Have, in fact, China's cyber attacks, the amount 
of them, decreased over the last 5 years? Is that a fact?
    Mr. Hughes. I would defer that question to the closed 
hearing and to the intelligence community.
    Mr. Painter. I would agree with that. I think that would be 
a ripe subject for the closed hearing.
    What I can say is, in terms of the theft of intellectual 
property for commercial purposes, as Admiral Rogers said, the 
jury is still out on that, and I believe the DNI said that too. 
But with respect to any more detail, we can get into that in 
another setting.
    Mr. Blum. Mr. Singer.
    Mr. Singer. As to the question on the goal of intellectual 
property theft not just being economic, it definitely has a 
national security side. And the easy answer to you would be 
Google images of F-35 and J-31, and you will see a remarkable 
similarity between our most expensive weapons project and their 
new jet fighter system. And either it's coincidentally they 
look alike or there's something else going on.
    Mr. Blum. What can Congress do to provide additional 
deterrence to countries like China? It may be criminal law, for 
example. What more can we do? What are your suggestions? And 
I'm thinking of China specifically here, but it applies to all 
nations, obviously.
    Here's your chance. Here's your chance. Tell us what to do.
    Mr. Kanuck. I would offer that this is really an issue of 
strategic reality, incentives, disincentives, and consequences. 
We've talked about attribution, public attribution, and that 
there may be no bite behind the bark. I would offer you have to 
look at very complex bilateral relationships, certainly if 
you're looking at United States and China, but also with other 
countries, and ask, what would strategically incentivize or 
disincentivize changes in behavior? Having served 16 years in the 
intelligence community, for me it was about what was actually 
happening, not what was being said.
    And, again, to get at the very particulars of that, about 
volumes of activity or impact of activity, that is, again, 
something I would say that the current serving members of the 
intelligence community and other executive agencies would be 
better off discussing in a closed session.
    Mr. Painter. I would just add that the fact that in this 
case the President, and at the highest levels of our 
government, obviously, the President raising this with the 
President of China as not just an issue of cyber versus cyber, 
but an issue that affected the overall relationship, pattern 
had a big impact.
    Mr. Blum. And if I have time for one more question, Mr. 
Chairman?
    I would just like to ask the panel, has there been any 
noticeable effect following the Department of Justice 2014 
indictment of the PLA officers? Has there been any noticeable 
effect?
    Mr. Kanuck. From my observation, that became a strong topic 
of discussion between U.S. Government and Chinese Government 
officials, and I'd defer to my colleagues who are still in 
government regarding there. And there were also negative 
ramifications for certain U.S. companies who had business 
opportunities in China very quickly curtailed.
    So it had an economic and business impact on U.S. entities 
and it also certainly was a central part of the discussions, of 
the policy discussions, which are better answered by the policy 
departments.
    Mr. Blum. Mr. Painter.
    Mr. Painter. And I'd defer to my colleagues who are not 
here from the Department of Justice, but I would say that, yes, 
the dialogue we had with the Chinese about deescalation and 
norms in cyberspace was suspended--we have now gotten back on 
another foot on that--which seemed an odd reaction to that.
    But, nevertheless, I think it showed that we were serious, 
certainly, and that when, you know, that combined with the 
President raising it and the threat of sanctions and other 
things, I think likely brought the Chinese to the table. But 
that is more an assessment for others.
    Mr. Blum. Any insights on that, Mr. Hughes?
    Mr. Hughes. Again, I would also defer to the Intel 
community for a classified assessment and then Department of 
Justice.
    Mr. Blum. I have no further questions, Mr. Chairman. I 
yield back the time I do not have.
    Mr. Hurd. I recognize myself for 5 minutes.
    Once again, gentleman, thank you all for being here. Thank 
you for your patience. You guys are all very influential in 
keeping us safe, and I appreciate that. Sorry to keep you away 
from your day jobs too long.
    This is a funny topic for me to be the chairman of, 
considering I spent most of my adult life in the clandestine 
world, right? But having everyone that has a role in this side 
by side, there's value to this. And I've taken a lot away from 
these conversations, so I really appreciate that.
    And I have some basic questions. My first question is to 
everybody. And I don't ask this as a yes-or-no question. It's a 
really basic question. I'd welcome a little detail.
    And I'll start with you, Mr. Hughes. Do the bad guys know 
what we can do?
    Mr. Hughes. I think, similar to the U.S. national security 
infrastructure having intelligence agencies, our adversaries 
are also doing collection against us. In some instances, they 
are likely tracking our TTPs. So I would assert that they have 
some idea of our ability to exploit networks and get 
information, absolutely.
    Mr. Hurd. Mr. Painter.
    Mr. Painter. Yeah. I think also there's a benefit in the 
bad guys knowing what we can do to some extent. I mean, we 
certainly in, for instance, the criminal law context want to 
project that there will be consequences for people's actions, 
so we want that, that we have economic tools we can use, we 
have other tools we can use. That's part of the deterrence 
message, is the bad guys knowing, whoever the bad guy might be, 
what you can do.
    And in that, I think, what I have seen personally is that 
we have made real progress in communicating that. One of the 
questions was asked earlier about the Bangladeshi situation. 
Part of this is outside the U.S., which is part of my gig, 
which is in working with other countries around the world so 
they have these capabilities too.
    Mr. Hurd. And, Mr. Kanuck, before you get to that question, 
I am going to ask you, Mr. Painter, to pick up on something you 
just said. Ukraine, Romania, Latvia, where are those countries 
where the legal framework is not there to allow the right kinds 
of prosecution, because when it's not--we know how many attacks 
are coming from these different countries--because there's not 
a legal framework in which for them to get prosecuted or sued.
    Where are those places of biggest concern to you? What 
additional pressures should we be putting on these countries in 
order to establish that kind of framework?
    Mr. Painter. So the countries--I mean, I think we've made a 
lot of progress, especially my Department of Justice 
colleagues. And one of the things that we do is capacity 
building. We work with DHS and DOJ. We've done things in 
Africa, a lot of regional trainings in Africa. We've worked 
with the EU and others.
    We want every country to have strong cybercrime--you know, 
you can remember the ILOVEYOU virus, where the Philippines 
didn't have a law to punish this. And now they do. In fact, 
they've gone through several iterations of that.
    So I don't think it's helpful to single out countries and 
saying you're doing a bad job. I think it's more helpful to 
help us get in there and work with them, because they also 
recognize the economic value of this. If they have good 
cybercrime laws, people want to invest in their economy. You 
are going to promote innovation.
    I think the Budapest Convention, which is the convention--
Budapest Cybercrime Convention--the one that we promote around 
the world, there's been a number of new signatories recently. 
We're working on getting more in Africa and Asia. Japan joined 
about a year and a half ago. So that's part of the push.
    Now, there are other countries, and this goes to more of 
the policy issue, like Russia and China, who want a global--a 
U.N. Convention, and we think that's just wasting time. This is 
an urgent issue now and countries need to be prepared for it.
    Mr. Hurd. Mr. Kanuck, not only do the bad guys know what we 
can do, is there stuff that we should ensure the bad guys know 
that we can do? And the third piece is, I think the difficulty 
for a lot of us up here is when you talk what is a digital act 
of war, the difference between a digital act of war and a gray 
area and a red line, what does all that mean. And we've had 
conversations about what is off limits. And I think sometimes 
part of the public conversation can articulate in a more 
granular level what is off limits, right?
    And, Mr. Singer, you made a great point about the Ukrainian 
grid attack. If you look at, what is it, the U.N.'s Chapter 
VII, Article 39, 41, 42, and 51 that talk about those things 
and where you can defend yourself, the grid is pretty clearly 
articulated there.
    What are some of those other gray areas that we should be 
exposing? I know there were a lot of questions in there, but 
you are a smart guy, Mr. Kanuck, you can follow them all.
    Mr. Kanuck. I'll do my best to succinctly hit the three. 
Starting with the ones my colleagues have answered, I think our 
sophisticated adversaries fully understand the laws of physics, 
the nature of telecommunications equipment, how electromagnetic 
spectrum operates, and how software logic code does. They may 
not know exactly what accesses or we may not know exactly what 
accesses any foreign government may have on any given day or 
what hardware or software implants may exist. I would liken it 
to a poker game where everyone knows the cards in the deck, you 
don't know who is holding which cards in which hand, and those 
capabilities may be fleeting and in flux in any given time.
    Secondly, is there a benefit to letting anyone know what we 
can do in certain instances? Again, while I appreciate 
clandestine intelligence activities as a 16-year intelligence 
professional, there may also be reasons in certain cases to 
declare or show certain capabilities akin to having a standing 
navy or other armaments that are known for a credible deterrent 
effect. However, the nature of cyber tools differs in that, if 
you reveal the particularities of a capability, an adversary 
may be able to develop countermeasures. So there would be a 
very sensitive balance there, certainly at least against your 
most sophisticated adversaries.
    Regarding gray areas and red lines, I'd actually like to 
draw attention to two important points which are on the margins 
of some of the discussion we've heard today. A lot of 
discussion has focused on act of war. I actually think that's 
the wrong focus, as I stated in my written statement.
    Most of what we have seen foreign state actors doing has 
been intentionally designed to operate below the threshold that 
would trigger Articles 2, 4, Article 51 of the U.N. Charter, or 
Articles 4, 5 of the Washington Treaty. There is cognizance by 
many actors to use cyber technologies in an asymmetric coercive 
tool for influence with the express interest of avoiding 
military conflict. So that is actually how these weapons and 
tools are being most utilized.
    Mr. Hurd. So, Mr. Kanuck, on that, should we be lowering 
the bar?
    Mr. Kanuck. Again, that's a policy decision. I think, for 
starters, we need to be cognizant of these low- to moderate-
level activities and their cumulative effect, like we were 
discussing earlier with one of your colleagues. Where you 
actually draw red lines, that is a policy question. I think 
there are certain casualty levels and certain property damage 
levels that under an effects-based analysis would constitute an 
armed attack or an act of war. But that analysis, as has been 
stated earlier by the executive branch representatives here, is 
the same that you would use for noncyber modalities.
    The last thing I'd like to, if I may just mention, focus 
is, we need to pay more attention to what will be a problem 
more and more in the future of attacks on the integrity of 
data, not on its confidentiality and not on its availability.
    Director Clapper has made reference to that in his last two 
worldwide threat assessments. And I fear, if ransomware is 
today's news, the future news is going to be integrity, 
integrity, value of information, not access to it.
    Mr. Hurd. Turning 10,000 into 1,000 or changing----
    Mr. Kanuck. Changing what's seen on an air traffic 
controller's screen. Changing information in the Twittersphere 
that will affect investors' actions. Changing the situational 
awareness that a military commander is seeing. Can you trust 
the information you're seeing to make actions upon it? That is 
actually the value of information, and that is what, 
unfortunately, this conflict space will turn to in the future 
more and more.
    Mr. Hurd. And, Mr. Singer, I'm going to add a question to 
you as well. We talked about effects-based approach. Does an 
effects-based approach include intended effects or only the 
actual effects? Can we determine intended effects? Should we be 
trying to determine intended effects? And should our response 
be based on the interpretation of what we may think those 
intended effects are?
    Mr. Singer. So I'll hit that question first, because that's 
where I do believe the idea that we solely use an effects-based 
judgment is just not--it's not the way we actually approach it. 
So to use a noncyber example, a bullet crosses the border into 
your district and kills someone--effect--but we will judge 
whether we are at war or it is an act of war from Mexico as to 
whether it is fired by Mexican Government with intent to kill 
or is it an accidental discharge, be it by a Mexican government 
individual. Then we would ask the same question if it was a 
civilian or not.
    Intent does matter. It's one of the things that will be, at 
least in the political judgment, the kind of political 
judgment that would be made in the White House, to 
deliberations in Congress. If it's going to make a declaration 
of war, it will judge intent as much as effect. The challenge, 
kind of figuring out the intent, sometimes is going to be 
unclear.
    Mr. Hurd. Well, over the last couple of weeks we've learned 
a whole lot about intent.
    Mr. Singer. Yeah. But the second thing to hit your question 
about awareness. My belief is that the bad guys have no doubt 
of our offensive cyber capability. If they had any confusion 
about it, we had a series of policymaker leaks about the 
Stuxnet operation, and then we had a massive dump from Edward 
Snowden, which caused us a lot of problems, but it also showed 
off we are quite good in this realm.
    The challenge is, if you look at the data, there is no 
evidence that that raised awareness of our offensive capability 
actually deterred attacks. Overall, data loss to America, in 
general, citizens, went up 55 percent the year after the 
Snowden leak. To many of the cases that we've talked about 
today, whether it's OPM, to ones we haven't talked about, the 
attacks on the Joint Chiefs' email system, those all happened 
afterwards.
    But that's not to say that deterrence isn't working. So, 
for example, there's lots of things that a China, a Russia, an 
Iran could do in this realm. They don't, in large part not 
merely because of our offensive cyber capability hit back, but 
because we can hit back in other realms.
    Mr. Hurd. Well, I'd like to thank the ranking member for 
indulging me in going over.
    And I'm going to ask this last question to all of you all. 
I recognize the difficulty in the question that I'm asking. 
It's probably not as difficult for Mr. Singer to answer, and 
Mr. Kanuck has not been out of government long enough to be 
able to answer this question easily. You all are involved in 
policy, you all are involved in operational activity.
    But I'm going to ask you, what is the best next action for 
this House, for Congress on this topic to move the conversation 
to where we are having a whole-of-government response or 
improving a whole-of-government response? You know, not the end 
goal, right? What's the next step? What would you all like to 
see this legislative body do?
    And you don't need to take forever. We've already run out 
of time.
    But, Mr. Singer, I think it's going to be easiest for you 
to answer this question. So let's start with you and go in 
reverse order.
    And, Mr. Hughes, you get to have the last word.
    Mr. Singer. I'll just hit, again, the written testimony 
points, particularly about how do we build up our resilience. 
And there's a series of things that Congress could do, and some 
of them are quite as simple as, for example, holding a hearing 
on the cybersecurity insurance industry and how could we 
bolster it, to there's actual small step mechanisms that could 
help it go on, to the examples of are there organizations that 
could be created and the like.
    Maybe to sum it up, the question for the Congress is, we 
know there's a series of best practices out there in private 
sector and government. How do you help aid their spread and/or 
where the executive branch has made a commitment to implement 
them, how do you hold their feet to the fire to ensure that 
they are actually doing it, particularly across another 
administration?
    Mr. Hurd. And we've got the bipartisan part down in your 
testimony. I think this is one of the things that has been 
great about this committee.
    Mr. Kanuck.
    Mr. Kanuck. It's been mentioned by a couple of my 
colleagues already, but I want to fully add my support to the 
discussion about resilience, and as one aspect of that, the 
growing insurance market in this space. When we did our 
analytic exchanges and outreaches we quickly learned from my 
old office that resiliency was a necessary component for policy 
options. If you are not safe, you will be restricted in what 
you can be doing offensively, defensively, and otherwise.
    I'd also like to add, if we're talking from a legislative 
perspective, I do believe that Congress can have an impact on 
the Federal workforce. And as a couple of my concluding 
statements in my written statement said, this is a qualitative 
not a quantitative game. Cyber expertise is about having the 
highest level of competence.
    The greatest breakthroughs in information technology have 
not been because there were a thousand people in the room. The 
greatest breakthroughs in encryption, in hardware, in software 
have been by small entities. We need to ensure that some of 
those cyber Olympians are working in the Federal workforce and 
stay there.
    Mr. Painter. Amen.
    Mr. Kanuck. My last comment will be, it's wrong to think 
about this as cybersecurity. There is no solution for perfect 
cybersecurity if you are up against determined, well-resourced 
adversaries. This is about risk management and risk mediation. 
The future discussions would be most served for the public good 
if they were about a cyber risk discussion, or even better, 
information risk, to include integrity concerns.
    Shifting that intellectual framework to information risk 
will help you a long way towards addressing some of the issues 
that this panel has raised today.
    Mr. Hurd. Thank you.
    Mr. Kanuck. Thank you.
    Mr. Hurd. Mr. Painter.
    Mr. Painter. So I think the number one thing, and given my 
experience, is to maintain the momentum and the focus on this 
issue and the education on this issue.
    Look, even 5 or 6 years ago, at the end of the Bush 
administration, there was a conference of national cyber 
initiatives. Back in 2003, we had a cybersecurity strategy that 
became shelfware, because people at the time weren't ready to 
deal with it.
    I think now we're in a different place, but I think it 
needs to be made a priority and continue to be a priority not 
just for this administration, but whoever the next 
administration is. Now, I think we're in good shape there, 
because I think now, because there are hearings like this and 
your Senate colleagues in SFRC, I've testified before them, 
we've done a report to Congress about all of our activities 
across the board in cyber, including throughout the different 
range, I think that's all important. But the focus really needs 
to continue on this and be seen as a priority.
    Five years ago, when my office was created at the State 
Department, there was no real cyber diplomacy program. We now 
have 22, I think, countries around the world that have 
counterparts to me that didn't exist, where we can actually not 
just have dialogues about policy, but when we have an attack 
like these denial-of-service attacks against financial 
institutions, I can reach out to counterparts and I can say: 
Look, this is important. This is not just the normal technical 
issue. So that's important.
    What I'd say we don't need from my Department, because we 
really crosscut among all the different parts of our 
Department, is I know there is some proposed legislation to 
kind of stovepipe this issue and put it into one particular 
chain and then create more bureaucracy, in my opinion. I'd say 
that's not helpful to us. What we really need is to be able to 
mainstream this throughout the Department and really throughout 
our foreign policy.
    Mr. Hurd. Mr. Hughes, you get the last words. No pressure.
    Mr. Hughes. Well, first and foremost, as my panelists have 
said, continue the dialogue. I think awareness across the 
United States and the American people of cyber threats and 
vulnerabilities is important. The adversaries aren't using 
sophisticated tactics to steal data, they're using the low-
hanging fruit, and there's such a lack of basic hygiene that 
they don't need to resort to nation-state level capabilities to 
steal information.
    So continuing the dialogue and awareness is important, 
because the interdependencies between government networks, 
private sector networks, foreign entities, I mean, we are all 
so intertwined that a vulnerability in one can lead to a 
vulnerability for all.
    And then, tactically, I would second, again, what Mr. 
Kanuck said in terms of workforce--workforce improvements, 
workforce management. I know the most recent NDAA provided the 
Department of Defense a little bit more flexibility with the 
cyber excepted service provisions. We plan to take advantage of 
that to improve our ability to hire and retain talented cyber 
professionals.
    Mr. Hurd. Excellent.
    Mr. Painter. I would just like to add that also, I want to 
thank Congress for the recent cyber information-sharing 
legislation. That has helped.
    Mr. Hurd. You're welcome.
    Without objection, I'd like to enter my full opening 
remarks for the record.
    So ordered.
    And I would like to thank our witnesses today for taking 
the time to appear before us. This is a very important 
conversation that needs to continue.
    And if there's no further business, without objection, the 
subcommittees stand adjourned.
    [Whereupon, at 3:43 p.m., the subcommittees were 
adjourned.]